Tenda Router AC Series Vulnerability

This vulnerability lies in the /goform/setWAN page and affects the latest version of the Tenda Router AC11 (AC11_V02.03.01.104_CN).

Vulnerability description

There is a stack buffer overflow vulnerability in the PPPoE module.

The program reads the user input wanPPPoEUser into variable v16 and uses the nvram_set function to set the NVRAM variable wan0_pppoe_username, without a proper length check.

The program then uses the nvram_get function to read that input into variable v63 and copies it to destination 0x804948B5, which causes a stack overflow.

So by POSTing to the page /goform/setWAN with a crafted wanPPPoEUser, an attacker can easily perform a Denial of Service attack or Remote Code Execution with carefully crafted overflow data.
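A defensive sketch of the two length checks the description says are missing, added here as an example; it is not Tenda's firmware code and not part of the original report. `PPPOE_USER_MAX`, `nvram_set_sim`, `bounded_len`, `set_pppoe_user` and `load_pppoe_user` are hypothetical names, and the 64-byte limit is an assumption because the page does not state the real buffer size.

```c
#include <stdio.h>
#include <string.h>

/* Assumed limit: the page does not state the firmware's real buffer size. */
#define PPPOE_USER_MAX 64

/* Hypothetical one-key stand-in for the router's NVRAM store. */
static char nvram_slot[512];

static int nvram_set_sim(const char *value) {
    size_t n = strlen(value);
    if (n >= sizeof(nvram_slot)) return -1;
    memcpy(nvram_slot, value, n + 1);
    return 0;
}

static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Check 1: validate wanPPPoEUser before it reaches NVRAM; reject, never truncate. */
int set_pppoe_user(const char *wanPPPoEUser) {
    if (wanPPPoEUser == NULL) return -1;
    size_t n = bounded_len(wanPPPoEUser, PPPOE_USER_MAX + 1);
    if (n == 0 || n > PPPOE_USER_MAX) return -1;
    return nvram_set_sim(wanPPPoEUser);
}

/* Check 2: the reader does not trust the stored value (it may have been written
 * by another path) and copies only if it fits the destination buffer. */
int load_pppoe_user(char *dst, size_t dst_size) {
    size_t n = strlen(nvram_slot);
    if (dst == NULL || n >= dst_size) return -1;
    memcpy(dst, nvram_slot, n + 1);
    return (int)n;
}

int main(void) {
    char user[PPPOE_USER_MAX + 1];
    char oversized[300];               /* constructed sample input */
    memset(oversized, 'A', sizeof(oversized) - 1);
    oversized[sizeof(oversized) - 1] = '\0';
    printf("normal set:    %d\n", set_pppoe_user("subscriber01"));
    printf("oversized set: %d\n", set_pppoe_user(oversized));
    printf("load:          %d\n", load_pppoe_user(user, sizeof(user)));
    return 0;
}
```

Both checks matter: the second one still refuses the copy when an oversized value reaches the store through a path that skipped the first.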

POC

poc

Timeline

  • 2022.01.09 report to CVE & CNVD
  • 2022.02.07 CNVD ID assigned: CNVD-2022-08889
  • 2022.02.16 CVE ID assigned: CVE-2021-46262

Acknowledgment

Credit to @cpegg, @leonW7 and @peanuts from Shanghai Jiao Tong University and TIANGONG Team of Legendsec at Qi'anxin Group.